o Df@spddlZddlmZmZddlmZmZddlmZmZm Z m Z ddl m Z e eZdZGd d d eeZdS) N)jwt JoseError) BaseGrantTokenEndpointMixin)UnauthorizedClientErrorInvalidRequestErrorInvalidGrantErrorInvalidClientErrorsign_jwt_bearer_assertionz+urn:ietf:params:oauth:grant-type:jwt-bearerc@szeZdZeZddiddiddidZe  dddZddZd d Z d d Z d dZ ddZ ddZ ddZddZdS)JWTBearerGrant essentialT)issaudexpNcKst|||||||fi|S)Nr )keyissueraudiencesubject issued_at expires_atclaimskwargsrZ/home/ubuntu/webapp/venv/lib/python3.10/site-packages/authlib/oauth2/rfc7523/jwt_bearer.pysigns  zJWTBearerGrant.signc CsTztj||j|jd}|W|Sty)}z td|t|j dd}~ww)a#Extract JWT payload claims from request "assertion", per `Section 3.1`_. :param assertion: assertion string value in the request :return: JWTClaims :raise: InvalidGrantError .. _`Section 3.1`: https://tools.ietf.org/html/rfc7523#section-3.1 )claims_optionszAssertion Error: %r descriptionN) rdecoderesolve_public_keyCLAIMS_OPTIONSvalidaterlogdebugr r )self assertionrerrrprocess_assertion_claims"s    z'JWTBearerGrant.process_assertion_claimscCs||d}||||S)Nr)resolve_issuer_clientresolve_client_key)r'headerspayloadclientrrrr"6sz!JWTBearerGrant.resolve_public_keycCs|jjd}|s td||}||d}td|||j s(t ||j_ | |d}|r[| |}|sCtddtd|||||sUtd d||j_d Sd S) aThe client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per `Section 2.1`_: grant_type REQUIRED. Value MUST be set to "urn:ietf:params:oauth:grant-type:jwt-bearer". assertion REQUIRED. Value MUST contain a single JWT. scope OPTIONAL. The following example demonstrates an access token request with a JWT as an authorization grant: .. code-block:: http POST /token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0. eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] .. _`Section 2.1`: https://tools.ietf.org/html/rfc7523#section-2.1 r(zMissing "assertion" in requestrzValidate token request of %ssubz Invalid "sub" value in assertionrz'Check client(%s) permission to User(%s)z,Client has no permission to access user dataN)requestformgetrr*r+r%r&check_grant_type GRANT_TYPErr/validate_requested_scopeauthenticate_userr has_granted_permissionr user)r'r(rr/rr9rrrvalidate_token_request:s,        z%JWTBearerGrant.validate_token_requestcCs@|j|jj|jjdd}td||jj||d||jfS)zZIf valid and authorized, the authorization server issues an access token. F)scoper9include_refresh_tokenzIssue token %r to %r) generate_tokenr1r;r9r%r&r/ save_tokenTOKEN_RESPONSE_HEADER)r'tokenrrrcreate_token_responsess  z$JWTBearerGrant.create_token_responsecCt)a1Fetch client via "iss" in assertion claims. Developers MUST implement this method in subclass, e.g.:: def resolve_issuer_client(self, issuer): return Client.query_by_iss(issuer) :param issuer: "iss" value in assertion :return: Client instance NotImplementedError)r'rrrrr+ z$JWTBearerGrant.resolve_issuer_clientcCrC)auResolve client key to decode assertion data. Developers MUST implement this method in subclass. For instance, there is a "jwks" column on client table, e.g.:: def resolve_client_key(self, client, headers, payload): # from authlib.jose import JsonWebKey key_set = JsonWebKey.import_key_set(client.jwks) return key_set.find_by_kid(headers['kid']) :param client: instance of OAuth client model :param headers: headers part of the JWT :param payload: payload part of the JWT :return: ``authlib.jose.Key`` instance rD)r'r/r-r.rrrr,sz!JWTBearerGrant.resolve_client_keycCrC)a%Authenticate user with the given assertion claims. Developers MUST implement it in subclass, e.g.:: def authenticate_user(self, subject): return User.get_by_sub(subject) :param subject: "sub" value in claims :return: User instance rD)r'rrrrr7rFz JWTBearerGrant.authenticate_usercCrC)aCheck if the client has permission to access the given user's resource. Developers MUST implement it in subclass, e.g.:: def has_granted_permission(self, client, user): permission = ClientUserGrant.query(client=client, user=user) return permission.granted :param client: instance of OAuth client model :param user: instance of User model :return: bool rD)r'r/r9rrrr8s z%JWTBearerGrant.has_granted_permission)NNNN)__name__ __module__ __qualname__JWT_BEARER_GRANT_TYPEr5r# staticmethodrr*r"r:rBr+r,r7r8rrrrrs$ 9   r)logging authlib.joserrrfc6749rrrrr r r(r getLoggerrGr%rJrrrrrs